[comp.virus] Virus detection through change detection / authorization

DWL@IBM.COM (David W. Levine) (02/03/90)

When we try to evaluate schemes for detecting and preventing
the spread of viruses, it's important to remember that a virus
uses those operations a user normally does to spread. If a
virus only infects programs when you do something to modify
an executable program, you now have to determine that the
modification that was made was the one you desired. That's
a correctness problem, which we know is undecidable.

Determining what's executable, on modern day systems, is
also a very hard problem. Any systems that have shell
languages or interpreters complicate this task immeasurably.
What does a shell script look like? A text file. What does
a hyper-text stack look like? While the current generation
of micro-computer viruses live mostly in program images,
there is no requirement that this be true in the future.

We can slow down the spread of viruses through lots of
different mechanisms, but each of these mechanisms reduces
the utility of computers. As long as we want our computers
to be general purpose machines, with lots of flexibility,
the virus writers will be able to exploit a program's legitimate
capabilities to spread viruses. Distinguishing between normal,
legitimate change and illicit change is a very difficult problem.

                           - David W. Levine
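The two difficulties Levine raises (a change detector cannot tell a desired modification from an unwanted one, and "executable" is not a well-defined category once shell scripts exist) can be seen directly in a minimal integrity-baseline checker. The following is an added example, not code from the post or from any 1990-era tool: it hashes every file under a directory, reports what changed since the baseline, and runs a constructed scenario in which a legitimate program upgrade and an unwanted edit to a shell script produce identical reports. The file names, contents and the `.exe`/`.com`/`.bin` suffix filter are all assumptions made up for the demonstration.

```python
# Added example: a minimal change-detection ("integrity baseline") checker,
# with a constructed scenario showing the limits the post describes.
import hashlib
import os
import tempfile
from typing import Dict, List

# Assumed, deliberately naive notion of "what is a program image".
OBVIOUS_EXECUTABLE_SUFFIXES = (".exe", ".com", ".bin")


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large program images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record a hash for every file under root, keyed by path relative to root."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def compare_to_baseline(baseline: Dict[str, str], root: str) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def looks_like_program_image(path: str) -> bool:
    """A checker that only watches 'obvious' executables would use a test like this."""
    return path.lower().endswith(OBVIOUS_EXECUTABLE_SUFFIXES)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one wanted change and one unwanted change.

    The checker reports both the same way; it cannot say which one the user
    intended. A suffix-based 'is it executable?' filter would also have
    ignored the shell script entirely, even though it is run as a program.
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: a placeholder program image and a shell
        # script that is, to the file system, just a text file.
        with open(os.path.join(root, "editor.exe"), "wb") as f:
            f.write(b"placeholder program image, version 1")
        with open(os.path.join(root, "backup.sh"), "w") as f:
            f.write('#!/bin/sh\ntar cf /tmp/backup.tar "$HOME"\n')
        baseline = build_baseline(root)

        # Wanted change: the user installs version 2 of the editor.
        with open(os.path.join(root, "editor.exe"), "wb") as f:
            f.write(b"placeholder program image, version 2")
        # Unwanted change: a line the user never wrote is appended to the
        # script (constructed, harmless text standing in for any edit).
        with open(os.path.join(root, "backup.sh"), "a") as f:
            f.write("echo 'a line the user did not add'\n")

        report = compare_to_baseline(baseline, root)

    # What a suffix-filtered checker would have skipped among the real changes.
    report["missed_by_suffix_filter"] = [
        p for p in report["modified"] if not looks_like_program_image(p)
    ]
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Both `editor.exe` and `backup.sh` appear under `modified` with nothing to distinguish the upgrade from the unwanted edit; deciding which is "the one you desired" needs knowledge the file system does not carry. The `missed_by_suffix_filter` entry shows the second problem: any checker that decides what to watch by file type rather than by how the file is used will leave script-based code uncovered.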